Recently we found that the plugin Social Media and Share Icons (Ultimate Social Media) contained an authenticated option deletion vulnerability. The Social Media plugin is based on the code base of that plugin and contained the same vulnerable code. The only difference is that the function is named sfsi_plus_DeleteSkin() in this plugin and is located in the file /libs/controllers/sfsi_iconsUpload_contoller.php.
Proof of Concept
The following proof of concept will delete the siteurl option from the wp_options table when requested while logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=plus_DeleteSkin&iconname=siteurl
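To make the class of defect concrete, here is an added illustration of the handler pattern and its hardened counterpart. This is not the plugin's own source (which is not reproduced in this advisory): only the function name, the AJAX action name plus_DeleteSkin and the iconname parameter come from the text above; the handler bodies, the sfsi_plus_ option-name prefix used as an allow-list, and the nonce action name sfsi_plus_delete_skin are assumptions made for the example. It assumes the standard WordPress plugin API.

```php
<?php
// Illustrative reconstruction, NOT the plugin's actual source.
// Vulnerable pattern: the option name is taken straight from the request and
// deleted for any logged-in user, with no capability or nonce check, so a
// request such as ?action=plus_DeleteSkin&iconname=siteurl removes a core option.
function sfsi_plus_DeleteSkin_vulnerable() {
    $iconname = isset( $_GET['iconname'] ) ? $_GET['iconname'] : '';
    delete_option( $iconname );
    wp_die();
}

// Hardened version of the same handler.
function sfsi_plus_DeleteSkin_hardened() {
    // 1. Only users allowed to manage options may remove plugin skins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Require a nonce so the request cannot be forged from another site
    //    (nonce action name is an assumption for this example).
    check_ajax_referer( 'sfsi_plus_delete_skin', 'nonce' );

    // 3. Restrict the option name to the plugin's own namespace (assumed prefix),
    //    so core options such as siteurl can never be targeted.
    $iconname = isset( $_POST['iconname'] ) ? sanitize_key( wp_unslash( $_POST['iconname'] ) ) : '';
    if ( '' === $iconname || 0 !== strpos( $iconname, 'sfsi_plus_' ) ) {
        wp_send_json_error( 'invalid skin name', 400 );
    }

    delete_option( $iconname );
    wp_send_json_success( array( 'deleted' => $iconname ) );
}

// Register only the hardened handler for logged-in users; there is no
// wp_ajax_nopriv_ hook, so anonymous requests are not served at all.
add_action( 'wp_ajax_plus_DeleteSkin', 'sfsi_plus_DeleteSkin_hardened' );
```

The capability check is what closes the reported issue (any authenticated account could reach the handler); the nonce and the prefix allow-list are the two additional controls a reviewer would expect on any AJAX endpoint that deletes data, since being logged in says nothing about whether the user intended the request or whether the named option belongs to the plugin.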
- 6/23/2016 – Developer notified.
- 6/28/2016 – Version 2.4.6 released, which fixes the issue.